Method Of Decrypting An Electronic Document For The Safety Management Of The Electronic Document

ABSTRACT

A method of encrypting and decrypting electronic documents, together with a safety management storage device and a system and method for the safety management of electronic documents. The system comprises a PC or mainframe on which common reading software is installed and a safety management storage device that is connected to the PC/mainframe by hot plugging; when connected to the mainframe, the storage device is enumerated at least as a USB CDROM device. A user who holds the storage device can encrypt an electronic document with the encryption key it carries to produce an encrypted document of the same file type, can open the encrypted document with the common reading software, and can then use the document within the predetermined operating authority.

RELATED APPLICATIONS

The present application is a divisional patent application of U.S. patent application Ser. No. 12/067,650, filed Mar. 14, 2008, entitled "A Method Of Encrypting/Decrypting The Document And A Safety Management Storage Device And System Method Of Its Safety Management" and now issued as U.S. Pat. No. 8,296,585, which is a 35 U.S.C. §371 national phase application of PCT International Application No. PCT/CN2006/002491, having an international filing date of Sep. 22, 2006, which was published in the English language as PCT International Publication No. WO 2007/033604, and claims priority to Chinese patent application Serial No. 200510037541.2, filed Sep. 22, 2005, all of which are incorporated herein by reference.

FIELD OF THE INVENTION

The present invention relates to electronic digital data processing technology, and in particular to the encryption and decryption of documents and to a storage device, system and method for their safety management.

BACKGROUND

Nowadays most of the confidential information of an enterprise is carried in electronic documents, and an electronic document is easily passed on. An enterprise can keep outsiders from reaching a confidential document by setting up a firewall or a dedicated network, but these measures cannot prevent the leakage that results from secondary propagation of the electronic document. Company management therefore has a number of misgivings about the safety of these documents:

- How to prevent confidential information, such as documents of the board of directors, program budgets, purchasing records and separation records, from being disclosed?
- How to prevent a key employee from copying confidential documents when resigning?
- By what technical means can senior staff pass document information to each other in confidence?
- How to prevent tenders and price lists from being leaked unknowingly to a competitor after a virus infection?
- How to trace the channel of a leak after it has happened?

In the face of these problems, the password protection still commonly used in document tools such as WORD and PDF is of limited effect, and software companies have therefore brought out many solutions. Better-known examples are the Alpab document publishing system produced by Beijing Founder Electronic Co. Ltd and the document safety management system produced by Shanghai Frontiertech Co. Ltd. Both adopt high-strength document encryption, keep the encrypted documents on a document management server inside the enterprise, and realize the safety management through special software on the document server side and on the client side, thereby controlling the operations of reading, printing, modifying, saving, copying and screen capture that may be performed on the documents. A confidential document lost through secondary propagation cannot be opened by its recipient, who lacks the special software and the key.

FIG. 1 is an organization sketch of the document safety management system produced by Frontiertech. The structure of the system is as described above, and it can realize the following functions:

- Control the operating rights of legitimate users on a document, including printing, copying and saving, and so prevent the document from spreading by secondary propagation.
- Centralized, dynamic authority management within the system: access rights already distributed to users can be withdrawn or modified.
- Encrypted documents that have leaked outside cannot be opened by just anyone.
- The operating platform can be built on many operating systems, such as Windows 98/Me/2k/Xp/2003.
- The various office programs of Microsoft (such as WORD and EXCEL) and other popular software for handling formatted text or picture files (such as, but not limited to, PDF and AutoCAD) are supported.
- The international standard AES-128 algorithm can be adopted to encrypt documents.
- Office automation systems such as Domino, AD, PKI and KM can be integrated at the same time.
- A detailed access record of each document can be generated.
- Capture of confidential information with the print-screen key or screen-shot software can be restricted.

FIG. 2 is a sketch of the inner framework of that system. It adopts a client-server structure comprising an EDG server and EDGViewer software installed on the client side; while a document is in use on the client side, the software realizes the following functions:

- Printing and copying of the document are controlled (only authorized users can print and copy).
- The operations of saving and "save as" are controlled (only authorized users can save).
- Use of print-screen or screen-shot software is restricted or prevented.
- The period during which the document can be used is controlled.

The software can also realize the following advanced functions:

- Within the limits placed on the user's reading, specifying the machine to be used for reading (for example, by binding to the machine's hardware fingerprint).
- Monitoring the user's operations and, combined with watermarking, tracing the channel of a leak.

The prior art of document safety management described above offers fairly high security when used within the internal network, but it still has several shortcomings that it cannot overcome:

1. A system of client-server structure generally keeps the encrypted documents and the encryption key of each encrypted document on the document server, which prevents internal documents from being used by trusted parties outside. For example, a production component list or other technical information of an enterprise cannot be used by the production plant, by cooperating partners, or by the company's own employees at home or on a business trip.
2. The encrypted document kept on the document server is a specially formatted document obtained by encrypting and transforming the normal document; it is inconvenient to use and needs special reading software, so more complicated software has to be installed on both the client and the server side.
3. The security of that special reading software becomes the focus and the weak point of the system: if it is attacked or broken, the document management of the system loses its security.
4. The cost of purchasing and maintaining the document server and the whole document safety management software is high, so small enterprises and individual users cannot afford it.

BRIEF SUMMARY

In view of the shortcomings of the technologies described above, the technical problem the present invention has to solve is to put forward a method of encrypting and decrypting documents, and a storage device, system and method for their safety management, that give users a safety management method for office documents and confidential documents that is highly secure, easy to use and low in cost, that solves the disclosure problem of secondary propagation of documents, and that also allows internal documents to be used by trusted parties outside.

To solve this technical problem, the basic conception of the present invention is as follows. The document administrator can encrypt an electronic document containing confidential information with an encryption key and generate an encrypted document of the same file type; the document administrator can use portable equipment with a data protection function (such as a storage device with a USB interface) to carry and distribute the encryption authorization and the usage rights of the document. Only a person who holds that storage device (the document administrator or another trusted user) can open the encrypted document, with the help of common text, picture or music reading software such as (but not limited to) Microsoft Word, Acrobat Reader, ACDsee, Winamp or Realplay. To facilitate centralized and dynamic management of the authority, the authority saved in the storage device can be updated through the network or through the PC/mainframe. In this way the users and the range of use of a document are limited by controlling the distribution of the portable equipment; all kinds of confidential electronic documents receive high-strength protection through the cooperation of hardware and encryption software; and safe authority management of reading, printing, copying, "save as", screen capture and so on is realized.

The first technical scheme realizing the conception of the present invention is a method of encrypting a document for the safety management of electronic documents, comprising the steps:

- A. Set up or install an encryption program on a PC or mainframe;
- B. Operate the PC/mainframe to read the data of the electronic document to be encrypted;
- C. Encrypt that data with an encryption key;

and in particular comprising the step:

- D. Generate an encrypted electronic document of the same file type as the original electronic document.

The second technical scheme realizing the conception of the present invention is a method of decrypting a document for the safety management of electronic documents, comprising the steps:

- A. Download or store the encrypted electronic document into the storage unit of a PC or mainframe;
- B. Complete the installation on the PC/mainframe of common reading software corresponding to the file type of the electronic document;

and in particular comprising the steps:

- C. Connect a storage device that carries the decryption authority to the PC/mainframe;
- D. The PC/mainframe recognizes the storage device, and the document decryption program held in the storage device runs automatically;
- E. The document decryption program automatically takes over the predetermined operations run by the common reading software;
- F. Run the common reading software to open the encrypted electronic document and operate on the document within the predetermined range of rights.

The third technical scheme realizing the conception of the present invention is a safety management storage device for the safety management of electronic documents, comprising a USB interface circuit, a control unit and a storage unit connected to the control unit, and in particular comprising an integrated circuit module connected to the control unit that provides a unique identifier distinguishing the device from other devices of the same kind.

The fourth technical scheme realizing the conception of the present invention is a safety management system for electronic documents, comprising a personal computer or mainframe on which common reading software is installed, and in particular comprising a safety management storage device that can be connected to the PC/mainframe by hot plugging; the storage device comprises a USB interface circuit, a control unit, a storage unit connected to the control unit, and an integrated circuit module connected to the control unit that provides a unique identifier distinguishing the storage device from other devices of the same kind; when connected to the PC/mainframe, the storage device is enumerated at least as a USB CDROM device.

The fifth technical scheme realizing the conception of the present invention is a safety management method for electronic documents, in particular comprising the steps:

- A. Set up at least one safety management storage device and write at least one encryption or decryption key into its storage unit;
- B. Distribute the safety management storage device to the predetermined users;
- C. The predetermined users connect the safety management storage device to a PC/mainframe running the Windows operating system, whereupon the system enumerates the device at least as a USB CDROM device;
- D. A loading program on the safety management storage device injects the encryption or decryption module into the predetermined program process of the common reading software in the PC/mainframe operating system by remote thread injection and function hooking, so as to take over the predetermined operations run by the common reading software;
- E. The predetermined users encrypt an electronic document of a predetermined file type to generate an encrypted electronic document of the same file type, or open an encrypted electronic document of the predetermined file type with the common reading software; the predetermined file type is a file type supported by the common reading software.

With the technical schemes above, a document safety management system of high security and easy use can be established without installing special document safety management software, with the advantages of high controllability and low cost of investment and maintenance.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an organization sketch of the document safety management system produced by Frontiertech.

FIG. 2 is a sketch of the inner framework of the system in FIG. 1.

FIG. 3 is a sketch of the document safety management system of the present invention.

FIG. 4 is a flow sketch of the document safety management method.

FIG. 5 is a sketch of choosing the encryption transformation option to encrypt a document.

FIG. 6 is the electrical diagram of the safety management storage device of the present invention.

DETAILED DESCRIPTION

The present invention is further described below with reference to the preferred embodiment shown in the figures.

The document safety management system of the present invention shown in FIG. 3 comprises a safety management storage device 100, a PC or mainframe 102 (hereafter simply the PC/mainframe or mainframe) on which common reading software is installed, and ancillary equipment such as a printer 106 and a monitor 104. The safety management storage device 100 is the key element with which the system realizes the safety management of documents. It is set up in advance as a "USB mass storage device" (for the WINDOWS operating system environment) and comprises a USB interface circuit 108 and a control unit 110, so it can be connected to the mainframe by hot plugging. When the device 100 is connected to the mainframe 102 it is detected by the mainframe operating system 112 and enumerated according to the protocol at least as a USB CDROM device (this is existing art conforming to the USB standard and the WINDOWS operating system environment, so unnecessary details are omitted). The safety management storage device 100 can also adopt other interface circuits, such as 1394, UWB, PCI or Bluetooth, in which case the mainframe 102 must be equipped with a driver program that presents those interfaces as a USB interface; otherwise the device 100 cannot appear as a USB CDROM device. For simplicity of statement, the safety management storage device 100 referred to below is the one comprising the USB interface circuit 108 unless otherwise described.

The safety management storage device 100 also comprises a storage medium 114 connected to the control unit 110, consisting of common (but not exclusively) physical devices such as NAND FLASH, AND FLASH or NOR FLASH. Independent, invisible areas 116, 118 are defined in the storage medium 114 to store the various encryption keys or decryption keys, so that these data cannot be obtained by simple physical duplication. Ordinary data, including the encryption software and decryption software, can be placed in the visible areas 120, 122. When the storage device 100 is connected to the mainframe 102 the encryption software need not be installed: it runs automatically, and through the technology of on-line CDROM updating that conforms to SCSI (Small Computer System Interface) its functions can be extended or its security holes patched.

The safety management storage device 100 can further comprise an integrated circuit module 124 connected to the control unit 110 that provides a unique identifier (ID number) distinguishing the device 100 from other devices of the same type, which prevents further physical duplication of the encryption key: when the USB control unit 110 receives an order to write an encryption key or other key data into the storage medium 114, it first reads the ID number of the safety management storage device 100, applies a predetermined transformation to it, uses the result to encrypt the data to be written, and only then performs the write to the storage medium 114.

FIG. 6 is the electrical diagram of the present embodiment of the safety management storage device 100. The USB control unit is realized by the integrated circuit U1 600; the ID number is provided by the integrated circuit U2 602 (for example, but not limited to, a DS2411); the storage medium comprises the storage chip U3 604; and the USB interface circuit comprises the plug terminal J4 606, which is electrically connected to U1 600.

For data security, random numbers can be used to encrypt key data (for example the encryption key) in the communication between the mainframe 102 and the storage medium 114 while the encryption software is running, so that the key data cannot be extracted illegally. Taking the reading of the encryption key by the mainframe 102 as an example: the USB control unit 110 reads the ID number of the safety management storage device 100, applies the relevant transformation, and uses the result to decrypt the stored encryption key data that has been read; the mainframe 102, through the encryption software, then shakes hands with the control unit 110 and the two sides exchange random numbers that each has generated itself; the control unit 110 then uses data transformed from these two random numbers to encrypt the decrypted encryption key and passes the encrypted data to the mainframe 102 through the encryption software. Thus ordinary illegal software cannot extract the encryption key by simulating the answers and breaking the encryption software.

The unique identifier assigned to the safety management storage device 100, the encrypted storage, and the use of random numbers to encrypt the communication all raise the safety of the whole document management software.
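The ID-bound key storage of module 124 and the random-number handshake of the three preceding paragraphs, as an added example in Python; it is not code from the patent or from any product it describes. The device ID is a constructed stand-in for the serial number read from U2 (a DS2411 is a read-only 64-bit serial number chip), the "predetermined transformation" is HMAC-SHA256 because the page names none, XOR with an HMAC output stands in for the unnamed cipher, and SHARED_SECRET, the HMAC tag on the exported key and the one-export-per-handshake rule are additions: the page only says the two random numbers are transformed into the session key, and if nothing secret enters that transformation a USB bus sniffer that sees both numbers can derive it. Binding to the ID also defeats only a copy of the flash contents; an attacker who can read the ID chip as well can unwrap the stored key, so the ID is an anti-cloning measure, not a secret.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the 64-bit serial number supplied by U2 (e.g. a DS2411). On the
# real device the control unit reads it from the chip; it is never stored in the flash.
DEVICE_ID = bytes.fromhex("01a2b3c4d5e6f708")

# Assumption not stated in the patent: a secret shared by the encryption software and the
# control-unit firmware. Without it, anyone who captures the two random numbers on the
# USB bus can derive the session key, and the exchange would hide nothing.
SHARED_SECRET = b"example-shared-secret-not-from-the-patent"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def id_wrap_key(device_id, raw_key):
    """Encrypt a 32-byte key under a pad derived from the device ID before it is written
    to the hidden area 116/118. HMAC-SHA256 plays the 'predetermined transformation';
    flash contents copied to a device with another ID unwrap to garbage."""
    if len(raw_key) != 32:
        raise ValueError("expected a 32-byte key")
    pad = hmac.new(device_id, b"key-storage", hashlib.sha256).digest()
    return _xor(raw_key, pad)


def id_unwrap_key(device_id, wrapped):
    return id_wrap_key(device_id, wrapped)   # XOR with the same pad reverses the wrap


def session_key(host_nonce, device_nonce):
    """The 'data transformed from these two random numbers', keyed with the shared secret."""
    return hmac.new(SHARED_SECRET, host_nonce + device_nonce, hashlib.sha256).digest()


class ControlUnit:
    """Device side (control unit 110): holds the ID-wrapped key and answers the handshake."""

    def __init__(self, device_id, wrapped_key):
        self.device_id = device_id
        self.wrapped_key = wrapped_key
        self._host_nonce = None

    def handshake(self, host_nonce):
        """Take the host's random number and reply with a fresh one of the device's own."""
        self._host_nonce = host_nonce
        self._device_nonce = secrets.token_bytes(16)
        return self._device_nonce

    def export_key(self):
        """Unwrap with the device ID, re-encrypt under the session key, and append an HMAC
        tag (an addition, so that the host notices a substituted or replayed answer)."""
        if self._host_nonce is None:
            raise RuntimeError("handshake first")
        session = session_key(self._host_nonce, self._device_nonce)
        blob = _xor(id_unwrap_key(self.device_id, self.wrapped_key), session)
        tag = hmac.new(session, blob, hashlib.sha256).digest()
        self._host_nonce = None                  # one export per handshake
        return blob, tag


def host_fetch_key(unit):
    """Host side (the encryption software on mainframe 102): fetch the encryption key."""
    host_nonce = secrets.token_bytes(16)
    device_nonce = unit.handshake(host_nonce)
    session = session_key(host_nonce, device_nonce)
    blob, tag = unit.export_key()
    if not hmac.compare_digest(tag, hmac.new(session, blob, hashlib.sha256).digest()):
        raise ValueError("key transfer failed authentication")
    return _xor(blob, session)


class ReplayingUnit:
    """'Simulated answering': a fake device that plays back a captured exchange instead of
    running the handshake. The host's fresh random number changes the session key, so the
    captured tag no longer verifies and the host rejects the key."""

    def __init__(self, captured):
        self.device_nonce, self.blob, self.tag = captured

    def handshake(self, host_nonce):
        return self.device_nonce

    def export_key(self):
        return self.blob, self.tag
```

Provisioning is `ControlUnit(DEVICE_ID, id_wrap_key(DEVICE_ID, key))`; `host_fetch_key` on that unit returns `key`, while a `ReplayingUnit` built from one captured `(device_nonce, blob, tag)` triple makes it raise `ValueError`. Note that the exported key is only as secret as SHARED_SECRET inside the host software, which is exactly the "special software becomes the weak point" problem the background section raises against the prior art.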

To satisfy the need of enterprise users for several levels of document safety management, safety management storage devices 100 can be distinguished into parent devices and subsidiary devices endowed with different management authority. The parent device is managed and kept by the operator of the document control center; a plurality of certified encryption keys are saved in its storage medium 114, and when it is used to encrypt a document the encryption authority can be set (for example whether printing is restricted, whether subsidiary devices are prohibited from reading, or how many times a subsidiary device may read). Each subsidiary device can be distributed to a trusted user; the encryption key stored in its storage medium comes from the parent device and stands for a certain usage authority. A subsidiary device can also be used to encrypt documents, but the resulting encrypted document prohibits all operations except reading. To make the system convenient to manage, a further rule can be made in the management software: an encryption key can only be transmitted from a parent device inserted in a mainframe to a subsidiary device, or backed up between parent devices; the encryption keys saved in subsidiary devices cannot be duplicated or transmitted between them. Further, because the parent device and subsidiary device support a plurality of encryption keys and the key chosen when encrypting a document is not fixed, the serial number of the chosen key must be contained in the encryption information of the encrypted document so that every encrypted document can be decrypted. To facilitate centralized and dynamic authority management, the authority saved in the safety management storage device can be updated through the mainframe 102 or the network; for example, the usage right of a given safety management storage device 100 can be logged out remotely through the network: once predetermined invalid data has been written into the safety management storage device 100, its encryption key and the associated information (such as, but not limited to, the decryption key) become invalid.

For clarity, the scattered description above of the safety management method for electronic documents can be summed up in the following steps:

- A. Set up at least one safety management storage device 100 and write at least one encryption or decryption key into its storage unit 114;
- B. Distribute the safety management storage device 100 to the predetermined users;
- C. The predetermined users connect the safety management storage device 100 to a PC/mainframe running the Windows operating system, whereupon the system enumerates the device 100 at least as a USB CDROM device;
- D. A loading program on the safety management storage device 100 injects the encryption or decryption module into the predetermined program process of the common reading software in the PC/mainframe operating system 112 by remote thread injection and function hooking, so as to take over the predetermined operations run by the common reading software;
- E. The predetermined users encrypt an electronic document of a predetermined file type to generate an encrypted electronic document of the same file type, or open an encrypted electronic document of the predetermined file type with the common reading software; the predetermined file type is a file type supported by the common reading software.

To guarantee that an encrypted document cannot be read after the safety management storage device 100 is lost or its usage right is logged out, step E can, when encrypting the electronic document, set authority information comprising the number of times the document may be read or the period during which it may be read, together with encryption information comprising the serial number of the key; after the encrypted electronic document is opened, the common reading software is governed by that operating authority. Taking the read count as an example, the permitted count is decremented each time the user decrypts and reads the document; when it reaches zero, the safety management storage device 100 can no longer be used for decryption. If a time limit is adopted, the timer is read at every decryption, and if the document is judged to be out of date the usage right of the safety management storage device 100 can likewise be logged out.

FIG. 4 is a flow sketch of the document safety management method 400, which applies to the client side of an individual user or an enterprise (called the operator below): the document can be encrypted or decrypted on any mainframe on which the common reading software is installed. The operator must first obtain 402 the safety management storage device; when the safety management storage device is connected to the mainframe, the mainframe detects 404 it and enumerates the device at least as a USB CDROM device, then automatically runs 406 the encryption or decryption program stored on the device, which injects the encryption or decryption module into the predetermined program process of the common reading software in the mainframe operating system by remote thread injection and function hooking, taking over the operations run by the common reading software. When the operator selects a document he can choose 410 to encrypt 412 it and generate an encrypted electronic document; if the selected document is judged 414 to be an encrypted electronic document, the decryption module can be chosen to decrypt 416 the document data and read the operating rights information, after which the operator can use 418 the common reading software to display and operate 420 on the document. If the safety management storage device is pulled out of the mainframe, the mainframe operating system automatically logs out the opening rights it had taken over for the corresponding documents (and at the same time deletes the encryption transformation option from the right-click operating menu of the document) and restores the normal operation 422 of the common reading software: normal documents can be opened and the relevant operations of reading, printing, clipboard use, screen capture and so on can be performed, but an encrypted document, when opened, shows only unreadable codes.

More specifically, the document encryption method of the electronic document safety management of the present invention comprises the following steps:

- A. Set up or install 406 the encryption program on a PC or mainframe;
- B. Operate 416, 418 the PC/mainframe to read the data of the electronic document to be encrypted;
- C. Encrypt that data 410 with an encryption key;
- D. Generate an encrypted electronic document 412 of the same file type as the original electronic document.

The PC/mainframe can be configured with the Windows operating system, including Windows 2000 or Windows XP. The encryption program (comprising the encryption module and its loading program) can be stored in a storage device (for example the safety management storage device 100 of the present embodiment) or installed on the mainframe 102. Taking the former as an example: when the storage device 100 is connected to the mainframe 102 and enumerated as a USB CDROM device by the system, and because the system has the function of playing a CDROM automatically (if not, the operator can enable this function in advance), the encryption program runs automatically and registers a plug-in program in the system; thereafter, when the user selects a document of a predetermined file type and right-clicks it, an encryption transformation option (shown in FIG. 5 as "Convert to filedog document . . .") is added to the operating menu, and the program associates itself with and takes over the opening program for documents of that type. Thus step B can also comprise the process: operate the mainframe 102 to select the electronic document to be encrypted, then choose the encryption transformation option in the document's operating menu, whereupon the mainframe 102 reads the document data. Of course, step B can also be combined with the common reading software: the document to be encrypted is selected first and then opened with the common reading software, and the encryption and saving operations are performed from the interface of that software.

To complete the processing above and increase security at the same time, the loading program in the encryption program does not encrypt or decrypt the document itself; apart from registering the plug-in program in the system, it injects the encryption module into the corresponding program process in the operating system. (The encryption module can of course run directly in the encryption program without being injected into another process.) Taking Windows 2000 or a later operating system as an example, the explorer.exe process can be used (but not exclusively). Because that process is a permanently registered process (it starts with the operating system and cannot be closed), the encryption module can be injected into it by remote thread injection and function hooking, taking over the core read and write functions. Function hooking is a technology that makes a running function jump to another entry address to carry out a specific function, by dynamically modifying the start address of the particular function that was obtained when the program or the binary file of the dynamic library was loaded into memory for running. Both technologies are provided on Microsoft's Windows operating system platform. Remote thread injection can be realized with the CreateRemoteThread function provided by the system (see Microsoft's MSDN development documentation for details). Function hooking has many realizations, for example the standard message hook technology and Detours provided by Microsoft, or the Windows API Hook developed by some domestic developers. Message hooking can be realized with the SetWindowsHookEx function of the system. Detours is a dedicated technology provided by Microsoft; see the paper "Detours: Binary Interception of Win32 Functions" presented at the third USENIX Windows NT Symposium, held in Seattle, Washington, in July 1999, so no further details are needed here. Professional documents introducing the API Hook technology are also available on websites including www.pcdog.com. The technical principle of these realizations is essentially the same: the write function is used while encrypting the document, so that the additional encryption work is finished automatically first and then the encrypted electronic document data to be stored is written into the storage unit of the mainframe. Moreover, an encrypted document produced by this encryption method does not change the type of the original document, i.e. it keeps the original file extension. This encrypted electronic document permits secondary spread.

In the processing above, the algorithm used in the said step C to encrypt the electronic document data with the encryption key can adopt any existing encryption formula, function or combination thereof; unnecessary details are not given here since it is not the core of the present invention. The encryption information of the said encrypted electronic document in step D can comprise the authority-setting information and the serial number information of the encryption key adopted.

Besides, another important part of the present invention is the document decryption method used for the safety management of the said electronic document, comprising the steps of:

-   A. Download or store the encrypted electronic document into the storage unit 126 of a PC or mainframe 102;
-   B. Finish the installation of common reading software corresponding to the file type of the said electronic document on the said PC/mainframe 102;
-   C. Connect a storage device 100 carrying the decryption authority content to the said PC/mainframe 102;
-   D. The storage device 100 is recognized by the said PC/mainframe 102, and the document decryption program in the said storage device 100 is run automatically;
-   E. The said document decryption program automatically takes over the scheduled operation run by the said common reading software;
-   F. Run the said common reading software to open the said encrypted electronic document, and operate the document within the predetermined range of rights.

Wherein the said storage device is the safety-management storage device 100 of the present embodiment, with USB interface 108 and control unit 110, set as a "USB Mass Storage Device"; in the said step D, the mainframe 102 identifies the storage device 100 and, according to the protocol, enumerates it as a "USB CDROM" device at least, so that the authority decryption program of the said document can be run automatically. The said document decryption program (comprising the decryption module and its loading program) can be programmed individually, or together with the said encryption program, using the same loading program to carry out the remote thread injection of the encryption module and of the decryption module respectively.

Therefore, similarly to the said document encryption method, the remote thread injection and function hook technologies of Windows can also be used for decryption. In the said step E, through remote thread injection technology and function hook technology, the document decryption program injects the decryption module into the scheduled program process of the predetermined said common reading software in the mainframe operating system 112, and then takes over the related operation predetermined by the said common reading software. Thus step F can comprise the following processing procedures: while the mainframe 102 is operated to open the said encrypted electronic document, the read operation of the said common reading software is taken over and controlled by the said decryption module; the data of the encrypted electronic document are read; the decryption key in the decryption module is used to restore the said data, and the predetermined operation authority is read from the encryption data; finally, the restored document data and the document operation authority can be shown on the interface of the common reading software. While a document is chosen by operating the mainframe 102, the decryption program which has registered and taken over the document checks whether it is an encrypted document; if it is not, the said common reading software can read or operate it directly. The said document operation authority comprises read-write to disk, printing the document, the clipboard function and plugboard management etc., each matched with the corresponding functional functions. When an authority is effective and the corresponding operation is started, the corresponding read-write function of that operation can be taken over.
Wherein, while the encrypted electronic document data are read by the mainframe 102, the corresponding decryption key is chosen from the decryption module according to the key serial number in the encryption information of the said encrypted data; the decryption processing can be carried out in the scheduled process of the said common reading software, and the decrypted data are shown by the common reading software directly. Thus the said decryption and showing processing leaves no processing data on any other permanent storage medium, which can enhance the security of the data.

In the processing above, the said storage device 100 can carry the usage authority information of the document on it, which is coordinated with the scheduled operation authority read from the encryption data to limit the operator's use of the said encrypted electronic document.
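As an added illustration (not code from the patent), the following Python sketch models the encryption information and the decryption path described above: the hooked write path prepends a header carrying the authority settings and the key serial number and leaves the file extension unchanged; the hooked read path passes unencrypted files through, selects the decryption key by serial number from the connected storage device (modelled here as a dictionary), decrypts in memory only, and returns the authority flags for the reader to enforce. The file layout, the HMAC-SHA256 counter-mode cipher and the integrity tag are assumptions, since the patent leaves the cipher open; the remote thread injection itself is not modelled.

```python
import hmac
import hashlib
import os
import struct
from dataclasses import dataclass

# Constructed file layout (an assumption, not from the patent): 4-byte marker,
# 2-byte key serial number, 1-byte authority bitmask, 16-byte nonce, ciphertext,
# 16-byte authentication tag. The original file extension is left untouched.
MAGIC = b"SMD1"
HEADER = struct.Struct(">4sHB")          # marker, key serial, authority flags
RIGHT_WRITE, RIGHT_PRINT, RIGHT_CLIPBOARD, RIGHT_PLUGBOARD = 1, 2, 4, 8

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate confidentiality and integrity keys derived from the device key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (assumed cipher).
    blocks = (hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_document(plaintext: bytes, key_serial: int, key: bytes, rights: int) -> bytes:
    """Hooked write path: prepend encryption information, then encrypt and authenticate."""
    header = HEADER.pack(MAGIC, key_serial, rights)
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), header + nonce + body, hashlib.sha256).digest()[:16]
    return header + nonce + body + tag

@dataclass
class OpenedDocument:
    data: bytes      # what the reading software is handed in memory
    rights: int      # authority bitmask read from the encryption information
    def allowed(self, right: int) -> bool:
        return bool(self.rights & right)

def intercepted_read(raw: bytes, device_keys: dict) -> OpenedDocument:
    """Hooked read path: unencrypted files pass through; tagged files are decrypted in memory."""
    if not raw.startswith(MAGIC):
        return OpenedDocument(raw, 0xFF)             # plain document: reader handles it directly
    _, serial, rights = HEADER.unpack(raw[:HEADER.size])
    nonce, body, tag = raw[HEADER.size:HEADER.size + 16], raw[HEADER.size + 16:-16], raw[-16:]
    key = device_keys.get(serial)                    # key chosen by serial number from the device
    if key is None:
        raise PermissionError(f"no decryption key with serial {serial} on this device")
    expected = hmac.new(_subkey(key, b"mac"), raw[:-16], hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("encrypted document failed integrity check")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return OpenedDocument(bytes(c ^ k for c, k in zip(body, stream)), rights)
```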

The whole decryption processing cannot be tracked or broken because it runs in the process of the original common reading software; the security and authority management of the document can manage the confidential document flexibly with high security according to the information of the encrypted document; at the same time, the operation is simple and transparent for users.

1. A method of decrypting an electronic document for the safety management of the electronic document, comprising steps of: storing an encrypted electronic document into a storage unit of a PC or mainframe; finishing installation of a common reading software corresponding to a file type of said electronic document on said PC or mainframe; connecting a storage device with content of decryption authority to said PC or mainframe; recognizing, by said PC or mainframe, the storage device, and running automatically a document decryption program which is in said storage device; taking over automatically, by said document decryption program, a scheduled operation run by said common reading software; and running said common reading software to open said encrypted electronic document, and operating the electronic document within a predetermined range of the rights.

2. The method of decrypting the electronic document according to claim 1, wherein said storage device comprises a USB interface and control unit with its device type set as USB Mass Storage Device such that the PC or mainframe recognizes and enumerates said storage device as a USB CDROM device so that said document decryption program can be run automatically.

3. The method of decrypting the electronic document according to claim 1, wherein said taking over automatically step comprises said document decryption program injecting a decryption module into the scheduled program process of said common reading software in the PC or mainframe operating system through a remote thread injection and function hook, so as to take over the scheduled operation run by said common reading software, and said running step comprises: taking over and controlling, by said decryption module, a read operation of said common reading software, while the PC or mainframe is operated to open said encrypted electronic document; reading the data of said encrypted electronic document first; restoring data from said encrypted data by using a decryption key in the decryption module, and reading the scheduled operation authority in the encrypted data; and showing, by said common reading software, the restored data and the operation authority of the electronic document.

4. The method of decrypting the electronic document according to claim 3, wherein the running step comprises choosing a relevant decryption key according to a key serial number in encryption information of said encrypted data and performing decryption processing in the scheduled process of said common reading software such that the decrypted data is shown by said common reading software directly.

5. The method of decrypting the electronic document according to claim 1, wherein said storage device contains authority information for using the electronic document, which coordinates with the scheduled operation authority to limit an operator's usage of the encrypted electronic document.